tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Database Audit
    Documentation
    Download PDF

    Authorizing Sub-account to Use Database Audit

    Last updated: 2021-08-25 19:07:54
    Download PDF

      By default, sub-accounts have no permission to use TencentDB for MySQL Database Audit. Therefore, you need to create policies to allow sub-accounts to use it.
      If you don't need to manage sub-accounts' access to resources related to TencentDB for MySQL Database Audit, you can ignore this document.

      Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage and control access to your Tencent Cloud resources. By using CAM, you can create, manage, and terminate users and user groups. You can manage identities and policies to allow specific users to access your Tencent Cloud resources.

      When using CAM, you can associate a policy with a user or user group to allow or forbid them to use specified resources to complete specified tasks. For more information on CAM policies, please see Syntax Logic.

      Authorizing Sub-account

      1. Log in to the CAM console as a root account, select the target sub-user in the user list, and click Authorize.
      2. In the pop-up window, select the QcloudCDBFullAccess or QcloudCDBInnerReadOnlyAccess preset policy and click OK to complete the authorization.
        Note:

        MySQL Database Audit is a module in TencentDB for MySQL, so the above two preset policies of TencentDB for MySQL already cover the permission policies required by it. If the sub-user only needs the permission to use this module, please see Custom MySQL Database Audit Policy.

      Policy Syntax

      The CAM policy for MySQL Database Audit is described as follows:

      {     
       "version":"2.0", 
       "statement": 
       [ 
          { 
             "effect":"effect", 
             "action":["action"], 
             "resource":["resource"]
          } 
      ] 
}
      • version is required. Currently, only the value "2.0" is allowed.
      • statement describes the details of one or more permissions. It contains a permission or permission set of multiple other elements such as effect, action, and resource. One policy has only one statement.
      • effect is required. It describes the result of a statement. The result can be "allow" or an "explicit deny".
      • action is required. It describes the allowed or denied action (operation). An operation can be an API (prefixed with "name") or a feature set (a set of specific APIs prefixed with "permid").
      • resource is required. It describes the details of authorization.

      API Operation

      In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with name/cdb: should be used for Database Audit. To specify multiple operations in a single statement, separate them with commas as shown below:

      "action":["name/cdb:action1","name/cdb:action2"]

      You can also specify multiple operations by using a wildcard. For example, you can specify all operations beginning with "Describe" in the name as shown below:

      "action":["name/cdb:Describe*"]

      Resource Path

      Resource paths are generally in the following format:

      qcs::service_type::account:resource
      • service_type: describes the product abbreviation, such as cdb here.
      • account: describes the root account of the resource owner, such as uin/326xxx46.
      • resource: describes the detailed resource information of the specific service. Each TencentDB for MySQL instance (instanceId) is a resource.

      Example:

      "resource": ["qcs::cdb::uin/326xxx46:instanceId/cdb-kf291vh3"]

      Here, cdb-kf291vh3 is the ID of the TencentDB for MySQL instance resource, i.e., the resource in the CAM policy statement.

      Example

      The following example only shows the usage of CAM. 

      {
 "version": "2.0",
 "statement": [
     {
         "effect": "allow",
         "action": [
             "name/cdb: DescribeAuditRules"
         ],
         "resource": [
             "*"
         ]
     },
     {
         "effect": "allow",
         "action": [
             "name/cdb: CreateAuditPolicy"
         ],
         "resource": [
             "*"
         ]
     },

     {
         "effect": "allow",
         "action": [
             "name/cdb: DescribeAuditLogFiles"
         ],
         "resource": [
             "qcs::cdb::uin/326xxx46:instanceId/cdb-kf291vh3"
         ]
     }
 ]
}

      Custom MySQL Database Audit Policy

      1. Log in to the CAM console as the root account and click Create Custom Policy in the policy list.
      2. In the pop-up window, select Create by Policy Generator.
      3. On the Select Service and Action page, select configuration items, click Add Statement, and click Next.
        • Service: select TencentDB for MySQL.
        • Action: select all APIs of MySQL Database Audit.
        • Resource: for more information, please see Resource Description Method. You can enter * to indicate that the audit logs of all TencentDB for MySQL instances can be manipulated.
      4. On the Edit Policy page, enter the Policy Name (such as SQLAuditFullAccess) as required and Description and click Done.
      5. Return to the policy list and you can view the custom policy just created.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2023 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy